26 



CLAIMS 

1 . A cryptographic method in an electronic 
component during which a modular exponentiation of the 
type x'^d is performed, with d an integer exponent of m+1 

5 bits, by scanning the bits of d from left to right in a 
loop indexed by i varying from m to 0 and calculating 
and storing in an accumulator (RO) , at each/ turn of 
rank i, an updated partial result equal to x'^bCi), b(i) 
being the m-i+1 most significant bits of the exponent d 
10 (b(i) = d^->i) , 

the method being characterised in that, at the 
end of a turn of rank i(j) (i = i(0)) chosen randomly, 
a randomisation step El is performed during which: 

El: a random number z (z = b(i(j)), 
15 z = b (i ( j ) ) . 2^, z = u) is subtracted from a part of the 
bits of d not yet used (di.i.>o) in the method 

then, after having used the bits of d modified by 
the randomisation step El, a consolidation step E2 is 
performed during which: 
20 E2: the result of the multiplication of the 

content of the accumulator (x'^bd)) by a number that is 
a function of x'^z stored in a register (Rl) is stored 
(RO <- RlxRO) in the accumulator (RO) . 

2 . Method according to the preceding claim, in 
25 which step El is repeated one or more times, at the end 

of various turns of rank i(j) (i = i(0), i = i(l), ...) 
chosen randomly between 0 and m. 
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3 . Method according to the preceding claim, in 
which, at each turn i, it is decided randomly (p=l) 
whether or not step El is performed. 

4 . A cryptographic method according to one of 
5 claims 1 to 3, in which the number z (z=b(i(j)), z = 

b(i(j)).2^) is a function of the exponent d, in which, 
during the randomisation step, the result of the 
multiplication of the content of the accumulator 
(x^b(i)) by the content of the register (Rl) is also 
10 stored (Rl <- ROxRl) in the said register (Rl) . 

5. A method according to claim 4, in which the 
consolidation step E2 is performed after the last turn 
of rank i equal to 0 . 

6 . A method according to the preceding claim, 
15 during which, during step El, the number b(i) is 

subtracted from d. ' 

7. A method according to claim 6, during which 
the following is effected: 

Input: X, d = (d^, . . . , do) 2 
2 0 Output: y = x^'d mod N 

RO 1; Rl <-l; R2 <- X, i <- m 
as long as i > 0, do: 

RO <- ROxRO mod N 

if di = 1 then RO <- R0xR2 mod N 
25 p <- R{0, 1} 

if ( (p = 1) and di.i_^o ^ d^-^i then 

d ^ d - dm->i 

Rl <- RlxRO mod N 
end if 
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i <- i-1 
end as long as 
RO <- ROxRl mod N 
return RO 

5 8. A method according to claim 5^ during which 

step El is modified as follows: 

El: a number equal to g.b(i) is subtracted from 
d, g being a positive integer; the current partial 
result (x'^bCi)) is raised to the power of g and the 
10 result is stored in the register (Rl) . 

9. A method according to the preceding claim, in 
which g is equal to 2^, x being a random number chosen 
between 0 and T. 

10. A method according to the preceding, in 
15 which the following is effected: 

Input: X, d = (dm, . . . , do) 2 
Output : y = x'^d mod N 

RO <- 1; Rl <-l; R2 <- x, i <- m 
as long as i > 0, do: 
20 RO <- ROxRO mod N 

if di = 1 then RO <- R0xR2 mod N 

p <- R{0, 1}; x-<- R{0, T} 

if ( (p = 1) and (di-i-^x > dm_,i) ) then 

di-l^T <— di-i_^x - dm->i 
25 R3 <- RO 

as long as (x > 0) do: 

R3 R3'^2 mod N; x <- x-1 
end as long as 
Rl <- RlxR3 mod N 



end if 

i <- i-1 
end as long as 
RO <- ROxRl mod N 
return RO 

11. A method according to one of claims 1 to 4, 
in which the consolidation step E2 is performed at the 
end of the rank using the last bit of d modified during 
step El . 

12. A method according to claim 11, in the 
course of which, during step El, the number b(i) is 
subtracted from the bits of d of rank i(j) - c(j) to 
i(j)-l, c(j) being an integer, and the content of the 
accumulator (x^'bdCj)) is stored in the register (Rl) . 

13 . A method according to the preceding claim, 
in the course of which, during the turn of rank i(j+l), 
it is chosen randomly to perform step El only if i(j+l) 
< i(j)-c(j). (a = 1 free semaphore). 

14. A method according to claim 12 or 13, in 
which c(j) is equal to m-i(j)+l. 

15. A method according to the preceding claim, 
during which the fqllowj^ng steps^ performed: 

Input: X, d = (dm, . . . ,do)2 
Output : y = xM mod N 

RO <- 1; Rl <-l; R2 <- X, 

i <-m; c<- -1; a <- 1 
as long as i > 0, do: 

RO <- ROxRO mod N 

if di = 1 then RO <- R0xR2 mod N end if 
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if (2i > m+1) and (a=l) then c <- m-i + 1 

if not a = 0 

end if 

p <- R{0, 1} 

5 8 <- p and (di.i .>i_c > dm^i) and a 

if s = 1 then 

Rl <- RO; a <- 0 

di-l -> i-c <" di-i -> i-c - dm->i 

end if 

10 if c = 0 then 

RO <- ROxRl mod N; a <- 1 
end if 

c <- c-1; i <- i-1 
end as long as 
15 return RO 

16. A method according to claim 12 or 13, in 
which c(j) is chosen randomly between i(j) and m- 
i(j)+l. 

17. A method according to the preceding claim, 
2 0 during which the following is effected: 

Input: X, d = (dm, . . . ,do)2 
Output : y = x'^d mod N 

RO <- 1; Rl <~ 1; R2 <- X, 
i <- m; c <- -1; a<- 1 
25 as long as i > 0, do: 

RO <- ROxRO mod N 

if di = 1 then RO <- R0xR2 mod N 
if (2i > m+1) and (a = 1) 

then c <- R{m-i+l, i} 
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if not a = 0 
s <- p and (di-i ->i-c ^ dtn->i) and a 
if 8 = 1 then 

Rl <- RO; a <- 0 
5 di-i -> i_c <- di-i -> i-c - dni->i 

end if 

if c = 0 then 

RO <- ROxRl mod N; a <- 1 
end if 

10 c<-c-l;i<-i-l 

end as long as 
return RO 

18. A method according to one of claims 1 to 2 , 
in which the number z is a number u (z = u) of v bits 

15 chosen randomly and independent of the exponent d. 

19. A method according to the preceding claim, 
in which, during step El, the number u is subtracted 
from a packet w of v bits of d. 

20. A method according to the preceding claim, 
20 during which: 

• if H(w-u) + 1 < H(w), it is chosen to perform a 
r andomi s a t i on s t ep El , - 

• if H(w-u) + 1 > H(w), it is chosen not to 
perform step El, 

25 • if H(w-l) + 1 = H(w), it is chosen randomly to 

perform or not a randomisation step El. 

21. A method according to the preceding claim, 
during which the following is effected: 

Input: X, d = (dm/..., do) 2 



Parameters: v, k 



Output : 



y = mod N 



RO <- 1; R2 <- X; i <-m; L = {} 
as long as 1 > 0, do: 

RO <- ROxRO mod N 

if di = 1 then RO <- R0xR2 mod N end if 
if i = m mod ( (m+1) /k) ) then a<-l end i 
if a = 1 and L = {} then 

S <- 0: u <- R {0, 2''-l}; 

Rl = x^'u mod N 
end if 

w <- di->i-v+i 
h <- H(w) 

if w > u then A <- w-u; h^ <- 1 + H(A) 



end if 

p <- R{0, 1} 

if [ (a=0) A(i-v+l>0) ] A 

[(h>hA) or ((p=l) and (h=hA) ) ] then 
di->i-vi-i <-A; L <" L ^ {i-v+l} 

end if 

if (i 8 L) then 
RO <- ROxRl mod N 
L <- L\{±} 



if not hA < 



v+2 



end if 



i < 



- i-1 



end as long as 



return RO 



